[keycloak-user] Enable X.509 Client Certificate User Authentication only to specific realm

Marek Posolda mposolda at redhat.com
Mon Jan 28 15:27:08 EST 2019


I think that on the Wildfly/Undertow level you can configure if client 
authentication is:
- mandatory
- optional (which means it is possible to be used, but things won't 
break if client certificate is not used)
- none

See docs (and Wildfly docs) for more details on how to configure it.

I think that if you use the "optional", it will be possible that client 
certificates won't be used if you use them in realm1 (also you may need 
to ensure that X509 certificate authenticator is not in the browser flow 
of realm1).

Marek

On 24/01/2019 11:22, roberto palmarin wrote:
> Hi, my goal is to have services that authenticate with user and password and services that authenticate with X509 certificate.
> Moreover, if I am authenticated with the certificate, I no longer have to authenticate with username and password.
>
> I have seen that the SAML parameter authnContextClassRef is not supported by Keycloak, which would allow to force the authentication method!
>
> I then tried to create new realms and use one realm for authentication with username/password and the other realm for X509 mutual authentication.
> The question is how can I disable X509 mutual authentication for a realm on Keycloak? The configuration for mutual authentication is at the Wildfly level and not at the realm level nor at the Keycloak client level.
> Is it possible to have the correct value of authnContextClassRef in the Keycloak SAML response?
>
> Thanks,
> Roberto Palmarin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
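Added example (not part of the thread above): a small audit helper that checks whether a realm's browser flow still carries an enabled X.509 authenticator step, which is the second condition Marek points at. It uses the Keycloak Admin REST API under the `/auth` context root; the base URL, the realm name `realm1` and the admin access token are assumptions, and the sample JSON is constructed to mirror the shape of the executions endpoint's response.

```python
"""Audit a Keycloak realm's browser flow for an enabled X.509 authenticator step."""
import json
import urllib.parse
import urllib.request

# Keycloak's provider id for the "X509/Validate Username Form" browser authenticator.
X509_BROWSER_PROVIDER = "auth-x509-client-username-form"


def enabled_x509_executions(executions):
    """Return the executions of a flow that run the X.509 authenticator and are not DISABLED.

    `executions` is the JSON list returned by
    GET /auth/admin/realms/{realm}/authentication/flows/{alias}/executions.
    """
    return [
        e for e in executions
        if e.get("providerId") == X509_BROWSER_PROVIDER
        and e.get("requirement", "DISABLED") != "DISABLED"
    ]


def fetch_browser_flow_executions(base_url, realm, token):
    """Look up the realm's configured browser flow alias, then fetch its executions.

    `token` is an admin access token (e.g. obtained through the admin-cli client).
    """
    headers = {"Authorization": f"Bearer {token}"}
    req = urllib.request.Request(f"{base_url}/auth/admin/realms/{realm}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        flow_alias = json.load(resp)["browserFlow"]
    req = urllib.request.Request(
        f"{base_url}/auth/admin/realms/{realm}/authentication/flows/"
        f"{urllib.parse.quote(flow_alias)}/executions", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample (not captured from a server): a browser flow where X.509 is still active.
SAMPLE_EXECUTIONS = [
    {"displayName": "Cookie", "providerId": "auth-cookie", "requirement": "ALTERNATIVE", "level": 0},
    {"displayName": "X509/Validate Username Form", "providerId": X509_BROWSER_PROVIDER,
     "requirement": "ALTERNATIVE", "level": 0},
    {"displayName": "Username Password Form", "providerId": "auth-username-password-form",
     "requirement": "REQUIRED", "level": 1},
]

if __name__ == "__main__":
    # Replace SAMPLE_EXECUTIONS with fetch_browser_flow_executions("https://kc.example", "realm1", token)
    for e in enabled_x509_executions(SAMPLE_EXECUTIONS):
        print(f"realm1 browser flow still runs X.509 step '{e['displayName']}' ({e['requirement']})")
```

An empty result for realm1 means no X.509 step can fire there even when Undertow's client verification is left at "optional"; a realm meant for mutual TLS should return exactly its X.509 execution.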
